ParkerVision WR3000 Network Router User Manual

WR3000 4-Port Wireless DSL/Cable Router
12.2 Firewall Policies Overview - Continued
If you configure firewall rules without a good understanding of how they work, you might
inadvertently introduce security risks to the firewall and to the protected network. Make
sure you test your rules after you configure them.
For example, you may create rules to:
• Block certain types of traffic, such as IRC (Internet Relay Chat), from the LAN to the Internet.
• Allow certain types of traffic, such as Lotus Notes database synchronization, from specific
hosts on the Internet to specific hosts on the LAN.
• Allow everyone except your competitors to access a Web server.
• Restrict use of certain protocols, such as Telnet, to authorized users on the LAN.
These custom rules work by comparing the Source IP address, Destination IP address and
IP protocol type of network traffic to rules set by the administrator. Your customized rules take
precedence and override the WR3000 Wireless Router’s default rules.
12.3 Rule Logic Overview
Study these points carefully before configuring rules.
12.3.1 Rule Checklist
1. State the intent of the rule. For example, “This restricts all IRC access from the LAN to the
Internet.” Or, “This allows a remote Lotus Notes server to synchronize over the Internet to
an inside Notes server.”
2. Is the intent of the rule to forward or block traffic?
3. What direction of traffic does the rule apply to (refer to 12.2)?
4. What IP services will be affected?
5. What computers on the Internet will be affected? The more specific, the better. For example,
if traffic is being allowed from the Internet to the LAN, it is better to allow only certain
machines on the Internet to access the LAN.
12.3.2 Security Ramifications
Once the logic of the rule has been defined, it is critical to consider the security ramifications
created by the rule:
1. Does this rule stop LAN users from accessing critical resources on the Internet? For
example, if IRC is blocked, are there users that require this service?
2. Is it possible to modify the rule to be more specific? For example, if IRC is blocked for all
users, will a rule that blocks just certain users be more effective?
3. Does a rule that allows Internet users access to resources on the LAN create a security
vulnerability? For example, if FTP ports (TCP 20, 21) are allowed from the Internet to the
LAN, Internet users may be able to connect to any LAN computer running an FTP server.
4. Does this rule conflict with any existing rules?
Once these questions have been answered, adding rules is simply a matter of plugging the
information into the correct fields in the Web Configuration Utility screens.
Source Address
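The matching logic described in 12.2 and the checklist in 12.3, modelled as a small worked example. This is added illustration, not the WR3000's own firmware or interface: the direction names, the assumed default policy (LAN to Internet forwarded, Internet to LAN blocked), the private and documentation IP addresses, and the IRC (TCP 6667) and Lotus Notes (TCP 1352) port numbers are all assumptions chosen for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of the rule logic: each custom rule is compared against the
# source address, destination address, IP protocol and direction of a packet,
# and custom rules take precedence over the router's default policy.
DEFAULTS = {"LAN->WAN": "forward", "WAN->LAN": "block"}  # assumed defaults

@dataclass(frozen=True)
class Rule:
    name: str
    direction: str       # "LAN->WAN" or "WAN->LAN" (assumed labels)
    source: str          # CIDR; "0.0.0.0/0" means any host
    destination: str     # CIDR; "0.0.0.0/0" means any host
    protocol: str        # "tcp", "udp" or "any"
    ports: frozenset     # destination ports; empty means any port
    action: str          # "forward" or "block"

    def matches(self, direction, src, dst, proto, port):
        return (self.direction == direction
                and ipaddress.ip_address(src) in ipaddress.ip_network(self.source)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.destination)
                and self.protocol in ("any", proto)
                and (not self.ports or port in self.ports))

def decide(rules, direction, src, dst, proto, port):
    """First matching custom rule wins; otherwise the default for that direction."""
    for rule in rules:
        if rule.matches(direction, src, dst, proto, port):
            return rule.action, rule.name
    return DEFAULTS[direction], "default"

def too_broad(rule):
    """Checklist item 5 and ramification 3: an Internet-to-LAN forward rule
    that accepts any source host should be narrowed to specific hosts."""
    return (rule.direction == "WAN->LAN" and rule.action == "forward"
            and ipaddress.ip_network(rule.source).prefixlen == 0)

# Constructed rule set: the three example intents from the text.
RULES = [
    Rule("block-irc", "LAN->WAN", "192.168.1.0/24", "0.0.0.0/0", "tcp", frozenset({6667}), "block"),
    Rule("notes-sync", "WAN->LAN", "203.0.113.10/32", "192.168.1.20/32", "tcp", frozenset({1352}), "forward"),
    Rule("ftp-any", "WAN->LAN", "0.0.0.0/0", "192.168.1.30/32", "tcp", frozenset({20, 21}), "forward"),
]

if __name__ == "__main__":
    print(decide(RULES, "LAN->WAN", "192.168.1.5", "198.51.100.7", "tcp", 6667))
    print("review:", [r.name for r in RULES if too_broad(r)])
```

Running it shows the IRC rule blocking a LAN host, the Notes rule forwarding only from the one named Internet host, and the FTP rule flagged for review because it admits any Internet source.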